'[gentoo-dev] Review for patch to pax-utils.eclass'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-dev
Subject:    [gentoo-dev] Review for patch to pax-utils.eclass
From:       "Anthony G. Basile" <blueness () gentoo ! org>
Date:       2016-08-27 0:22:55
Message-ID: 8b4e0241-79b2-a788-5189-af67d16d03d0 () gentoo ! org
[Download RAW message or body]

I'd like to commit the following change to the pax-utils.eclass to
address bug #590422.  I'm submitting it to the list for review.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

["pax-utils-safe-paxctl.patch" (text/plain)]

commit 6dcad31d0a6558eb70f5c46689fe4d4246d80bb1
Author: Anthony G. Basile <blueness@gentoo.org>
Date:   Fri Aug 26 20:02:44 2016 -0400

    pax-utils.eclass: do not attempt to create/convert a PT_PAX_FLAGS program header
    
    Support for the creation of PT_PAX_FLAGS program headers in ELF objects is being
    dropped in >=sys-devel/binutils-2.26.1.  Running paxctl -C or -c either to create
    a PT_PAX_FLAGS header or to convert a PT_GNU_STACK header on such ELF objects
    results in broken executables.  For backwards compatibility we continue to \
support  PT_PAX_FLAGS markings with paxctl but remove these unsafe methods from the \
eclass.  
    Gentoo-Bug: https://bugs.gentoo.org/show_bug.cgi?id=590422

diff --git a/eclass/pax-utils.eclass b/eclass/pax-utils.eclass
index 9ed1170..386a7f6 100644
--- a/eclass/pax-utils.eclass
+++ b/eclass/pax-utils.eclass
@@ -1,4 +1,4 @@
-# Copyright 1999-2015 Gentoo Foundation
+# Copyright 1999-2016 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 # $Id$
 
@@ -6,8 +6,8 @@
 # @MAINTAINER:
 # The Gentoo Linux Hardened Team <hardened@gentoo.org>
 # @AUTHOR:
-# Original Author: Kevin F. Quinn <kevquinn@gentoo.org>
-# Modifications for bugs #365825, #431092, #520198, @ ECLASS markup: Anthony G. \
Basile <blueness@gentoo.org> +# Author: Kevin F. Quinn <kevquinn@gentoo.org>
+# Author: Anthony G. Basile <blueness@gentoo.org>
 # @BLURB: functions to provide PaX markings for hardened kernels
 # @DESCRIPTION:
 #
@@ -82,11 +82,9 @@ pax-mark() {
 				einfo "PT_PAX marking -${flags} ${f} with paxctl"
 				# First, try modifying the existing PAX_FLAGS header.
 				paxctl -q${flags} "${f}" >/dev/null 2>&1 && continue
-				# Second, try creating a PT_PAX header (works on ET_EXEC).
-				# Even though this is less safe, most exes need it. #463170
-				paxctl -qC${flags} "${f}" >/dev/null 2>&1 && continue
-				# Third, try stealing the (unused under PaX) PT_GNU_STACK header
-				paxctl -qc${flags} "${f}" >/dev/null 2>&1 && continue
+				# We no longer try to create or convert a PT_PAX header, bug #590422
+				# paxctl -qC${flags} "${f}" >/dev/null 2>&1 && continue
+				# paxctl -qc${flags} "${f}" >/dev/null 2>&1 && continue
 			fi
 
 			# Next try paxctl-ng -> this will not create/convert any program headers.



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic